Cross-platform Trojan controls Windows and Mac machines
July 25, 2012
BackDoor.DaVinci.1 is developed and sold by HackingTeam, which has been in business since 2003. This malicious program is a multi-component backdoor that includes a large number of functional modules, among them drivers that use rootkit technologies to hide the application in the operating system.
BackDoor.DaVinci.1 is spread as the AdobeFlashPlayer.jar file, signed using an invalid digital certificate. On July 23 a user sent this signed applet to Doctor Web for analysis.
The file determines the OS type, then saves and launches the payload intended for that platform in the compromised system. Currently, Doctor Web's virus analysts have Trojan samples intended for Windows and Mac OS X; it is known that a version targeting mobile platforms also exists.
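Two traits described above can be checked for at triage time: the applet carries a signature (one that in this case did not validate), and a single JAR bundles payloads for more than one operating system. The following is an added example for this article, not code from Doctor Web or from the sample itself. It builds a constructed JAR in memory from stub entries that carry only file-format magic numbers (the entry names and stub bytes are assumptions, not the real file's layout) and flags a JAR that is signed and bundles native executables, or that bundles executables for more than one OS.

```python
import io
import struct
import zipfile

# Constructed stubs that carry only a file-format magic number; they stand in
# for the real payloads a dropper JAR would embed and are not executable code.
def pe_stub() -> bytes:
    return b"MZ" + b"\x00" * 62                      # DOS/PE header start

def macho64_stub() -> bytes:
    return struct.pack("<I", 0xFEEDFACF) + b"\x00" * 28   # 64-bit Mach-O, little-endian

def fat_stub(nfat_arch: int = 2) -> bytes:
    return struct.pack(">II", 0xCAFEBABE, nfat_arch) + b"\x00" * 24  # universal Mach-O

def class_stub() -> bytes:
    # Java class file: same magic as a fat Mach-O, then minor_version=0, major_version=52
    return struct.pack(">IHH", 0xCAFEBABE, 0, 52) + b"\x00" * 16

def classify(head: bytes) -> str:
    """Coarse file type from the first bytes of a JAR entry."""
    if head[:2] == b"MZ":
        return "pe"
    if head[:4] == b"\x7fELF":
        return "elf"
    if len(head) >= 4:
        magic = struct.unpack(">I", head[:4])[0]
        if magic in (0xFEEDFACE, 0xFEEDFACF, 0xCEFAEDFE, 0xCFFAEDFE):
            return "macho"
        if magic == 0xCAFEBABE and len(head) >= 8:
            # Fat Mach-O and Java .class share this magic. A fat header follows it
            # with a small architecture count; a class file follows it with
            # minor/major version, which reads as a much larger big-endian int.
            nfat_arch = struct.unpack(">I", head[4:8])[0]
            return "macho-fat" if nfat_arch <= 16 else "class"
    return "other"

NATIVE_PLATFORM = {"pe": "windows", "macho": "macos", "macho-fat": "macos", "elf": "linux"}
SIGNATURE_BLOCKS = (".RSA", ".DSA", ".EC")

def triage_jar(jar_bytes: bytes) -> dict:
    """Report whether a JAR carries a signature block and native executables."""
    result = {"signed": False, "native": [], "platforms": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            upper = name.upper()
            if upper.startswith("META-INF/") and upper.endswith(SIGNATURE_BLOCKS):
                result["signed"] = True       # signature present; validity not checked here
                continue
            with zf.open(info) as fh:
                kind = classify(fh.read(8))   # only the header bytes are needed
            if kind in NATIVE_PLATFORM:
                result["native"].append((name, kind))
                result["platforms"].add(NATIVE_PLATFORM[kind])
    result["platforms"] = sorted(result["platforms"])
    # Either trait alone deserves a look; together they match the dropper described.
    result["suspicious"] = len(result["platforms"]) >= 2 or (result["signed"] and bool(result["native"]))
    return result

def build_sample_jar(with_payloads: bool = True) -> bytes:
    """Constructed JAR mimicking a signed applet that bundles Windows and macOS stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        zf.writestr("META-INF/SIGNER.RSA", b"\x30\x82\x00\x00")   # placeholder PKCS#7 bytes
        zf.writestr("Loader.class", class_stub())
        if with_payloads:
            zf.writestr("res/win/update.bin", pe_stub())           # assumed entry name
            zf.writestr("res/osx/update.bin", fat_stub())          # assumed entry name
    return buf.getvalue()

if __name__ == "__main__":
    for label, jar in (("dropper-like", build_sample_jar()), ("plain signed applet", build_sample_jar(False))):
        r = triage_jar(jar)
        print(f"{label}: signed={r['signed']} platforms={r['platforms']} suspicious={r['suspicious']}")
```

The presence of `.SF`/`.RSA` entries only says that the JAR carries a signature. Whether the signing certificate chains to a trusted root, which is what "invalid certificate" turns on, is a separate check done with `jarsigner -verify -verbose -certs` against the local trust store; this script deliberately does not attempt it.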
The malware features a modular architecture: the main backdoor component is supplemented with an encrypted configuration file and rootkit drivers. These drivers enable the malicious application to hide its presence. All Trojan versions use the same configuration file containing the modules' settings.
BackDoor.DaVinci.1 allows criminals to gain full control over an infected computer. Besides that, the Trojan collects and transmits information about the infected machine to criminals, acts as a keylogger, can take screenshots, and intercepts e-mail, ICQ and Skype messages as well as data captured by a microphone or video camera connected to the computer. The backdoor also has a large set of tools to bypass anti-virus software and firewalls, so it may run unnoticed in a system for a long time. Interestingly, BackDoor.DaVinci.1 for Mac OS X is the first instance of malware for the platform that uses rootkit technologies to hide its files and processes.
HackingTeam criminals call their brainchild a 21st-century weapon and sell BackDoor.DaVinci.1 as a remote control and espionage solution. The Trojan poses a serious threat to users, because it not only intercepts any information on the infected computer but also gives criminals full control over a compromised system, so that they can render it non-operational, for example, by damaging or removing its components.
Despite BackDoor.DaVinci.1 developers' claims that this malicious application can withstand any modern anti-virus program, Dr.Web for Windows and Dr.Web for Mac OS X detect and successfully remove BackDoor.DaVinci.1; therefore, Dr.Web users are well protected against this threat.